The Honeynet Project - botnet
http://honeynet.org/taxonomy/term/223/0

Response to "How Microsoft Appointed Itself Sheriff of the Internet" (Part 2)
http://honeynet.org/node/1209
<p>In the <a href="https://staff.washington.edu/dittrich/home/blog/wired-response-p1.html#wiredp1">first part</a> of this two-part blog post, the issue of anticipating retaliation during an aggressive battle to wrest control of a DDoS botnet was examined. In this part, the issues of dual standards, taking responsibility, and learning lessons to make positive change over time are examined.<br />
<a href="https://staff.washington.edu/dittrich/home/blog/wired-response-p2.html">Read full post here...</a></p>
Tags: botnet, Citadel, civil process, criminal process, Damballa, DDoS, integrity, Mariposa, Microsoft, Symantec, zeus
Fri, 27 Feb 2015 19:38:10 +0000 | david.dittrich | 1209 at http://honeynet.org

Response to "How Microsoft Appointed Itself Sheriff of the Internet" (Part 1)
http://honeynet.org/node/1206
<p>This blog post is the first of a two-part series in response to the Wired article of Oct 14, 2014, "<a href="http://www.wired.com/2014/10/microsoft-pinkerton/">How Microsoft Appointed Itself Sheriff of the Internet</a>." [McM14] I find some problems with this article that raise questions about the depth of research into some elements of the story, and an appearance of bias in how "unintended consequences" are presented.</p>
<p>[McM14] Robert McMillan. How Microsoft Appointed Itself Sheriff of the Internet. <a href="http://www.wired.com/2014/10/microsoft-pinkerton/">http://www.wired.com/2014/10/microsoft-pinkerton/</a>, October 2014.</p>
<p><a href="https://staff.washington.edu/dittrich/home/blog/wired-response-p1.html">Read full post here...</a></p>
<p><a href="http://honeynet.org/node/1206" target="_blank">read more</a></p>
Tags: botnet, civil process, criminal process, DDoS, Mariposa, Microsoft
Tue, 17 Feb 2015 02:24:13 +0000 | david.dittrich | 1206 at http://honeynet.org

Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.
http://honeynet.org/node/1066
<p>Howdy all,<br />
I've the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.</p>
<p>Dorothy2 is a framework created for mass malware analysis. Currently, it is based mainly on analyzing the network behavior of a virtual machine in which a suspicious executable has been run. Static binary analysis and system behavior analysis will shortly be introduced in future versions.</p>
<p><a href="http://honeynet.org/node/1066" target="_blank">read more</a></p>
Tags: botnet, Dorothy, malware, sandbox, Italian Chapter
Sun, 09 Jun 2013 23:01:27 +0000 | marco.riccardi | 1066 at http://honeynet.org

A new infosec era? Or a new infosec error?
http://honeynet.org/node/1031
<p>On March 4, 2013, a contest was held at the Nullcon conference in Goa, India, to see who could take over a botnet. The Times of India reported that <a href="http://timesofindia.indiatimes.com/city/goa/Will-support-cyber-security-initiatives-CM/articleshow/18899132.cms">the prize money was provided by an Indian government official</a> and was <a href="https://www.facebook.com/photo.php?v=574303972588033&amp;set=vb.138904662794635&amp;type=2&amp;theater">awarded to the Garage4Hackers</a> team. The co-founder of the Nullcon conference, Antriksh Shah, said "At Nullcon Goa 2013, for the first time in the world the government has come forward and announced a bounty prize of Rs 35,000 to whoever provides critical information on the command and control servers of a malware recently found in one of the government installations in India," and then tweeted, "Dawn of new infosec era. Govt of India announced (and actually paid) first ever bounty (Rs. 35 k) at nullcon to take down a c&amp;c." When asked whether this was a live botnet, or a simulated botnet held within a safe and isolated virtual network where no harm could result, <a href="https://twitter.com/nullcon">Nullcon</a> tweeted, "it was a live campaign up since a couple of yrs and the malware was found in a gov. Infra."</p>
<p><a href="http://honeynet.org/node/1031" target="_blank">read more</a></p>
Tags: botnet, ethics, takedown
Mon, 11 Mar 2013 08:54:58 +0000 | david.dittrich | 1031 at http://honeynet.org

Kelihos.B/Hlux.B botnet takedown
http://honeynet.org/node/833
<p>On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker's control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.</p>
<p>Control of the botnet, with over 129,000 infected hosts, was successfully obtained. These bots are no longer under the control of the botherder and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The largest share of hosts was in Poland (24%), and most of them (84%) were running the old operating system Windows XP. Two days after the operation, the gang operating the botnet abandoned its command-and-control infrastructure. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled.</p>
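<p>The mechanism described above, peer-list poisoning of a P2P overlay, is easier to reason about with a small model. The following is an added example for this page, not code from the Honeynet Project or any of the named companies, and it does not reproduce the Kelihos.B/Hlux.B protocol. It assumes a generic gossip-style botnet: every bot keeps a fixed-size peer list of (address, freshness) entries and keeps the freshest entries it is offered; each round a bot asks every peer it knows for that peer's list; and the sinkhole answers every request with a full list of addresses it controls, each stamped as maximally fresh, so that once a bot has learned them they are never evicted in favour of older, real peers. The bot names, sinkhole addresses and freshness values are all constructed for the example.</p>

```python
"""Toy model of a P2P botnet being sinkholed by peer-list poisoning.

Constructed illustration; not Kelihos code and not the Kelihos peer protocol.
Assumed model:
  * each bot keeps PEERLIST_SIZE (address, freshness) entries and, when it
    refreshes, keeps the freshest distinct entries it has been offered;
  * each round every bot asks every peer in its list for that peer's list;
  * the sinkhole answers any request with addresses it controls, all stamped
    with a freshness no real bot will ever advertise.
"""
import random

PEERLIST_SIZE = 8
SINKHOLE_ADDRS = [f"sink-{i}" for i in range(PEERLIST_SIZE)]   # constructed
SINKHOLE_FRESHNESS = 10**9   # newer than any real "last seen" counter (max 1000 below)


def is_sinkhole(addr):
    return addr.startswith("sink-")


def build_botnet(n_bots, seed=1):
    """Return {bot: [(peer, freshness), ...]}.  A ring edge i -> i+1 keeps the
    overlay strongly connected; the remaining slots are random peers."""
    rng = random.Random(seed)
    names = [f"bot-{i}" for i in range(n_bots)]
    bots = {}
    for i, b in enumerate(names):
        ring = names[(i + 1) % n_bots]
        pool = [x for x in names if x not in (b, ring)]
        peers = [ring] + rng.sample(pool, PEERLIST_SIZE - 1)
        bots[b] = [(p, rng.randint(1, 1000)) for p in peers]  # fake "last seen" counters
    return bots


def merge(own, offered, me):
    """Keep the PEERLIST_SIZE freshest distinct peers from own + offered, never self."""
    best = {}
    for addr, fresh in own + offered:
        if addr != me and fresh > best.get(addr, -1):
            best[addr] = fresh
    ranked = sorted(best.items(), key=lambda e: (-e[1], e[0]))  # freshest first, stable
    return ranked[:PEERLIST_SIZE]


def reply(bots, responder):
    """Peer-list reply: the sinkhole advertises only itself; bots relay what they know."""
    if is_sinkhole(responder):
        return [(a, SINKHOLE_FRESHNESS) for a in SINKHOLE_ADDRS]
    return list(bots[responder])


def inject(bots, targets):
    """Seed the poisoning: the sinkhole has answered a few bots' peer requests."""
    for b in targets:
        bots[b] = merge(bots[b], reply(bots, "sink-0"), b)


def gossip_round(bots):
    """Every bot refreshes from every peer it knew at the start of the round."""
    for b in list(bots):
        for peer, _ in list(bots[b]):
            bots[b] = merge(bots[b], reply(bots, peer), b)


def fully_sinkholed(bots):
    """Fraction of bots whose every peer entry points at the sinkhole, i.e. bots
    the botherder can no longer reach through the overlay."""
    cut = sum(all(is_sinkhole(a) for a, _ in lst) for lst in bots.values())
    return cut / len(bots)


def run(n_bots=40, rounds=12, seed=1):
    """Return the fraction of cut-off bots before injection and after each round."""
    bots = build_botnet(n_bots, seed)
    history = [fully_sinkholed(bots)]
    inject(bots, ["bot-0", "bot-1"])
    for _ in range(rounds):
        gossip_round(bots)
        history.append(fully_sinkholed(bots))
    return history


if __name__ == "__main__":
    for r, frac in enumerate(run()):
        print(f"round {r:2d}: {frac:5.1%} of bots cut off from the botherder")
```

<p>Two properties of the model carry over to the real operation: because the sinkhole entries are always the freshest a bot has seen, a poisoned bot never recovers real peers (the sinkholed state is absorbing), and because bots relay their own lists, a bot that has never talked to the sinkhole is still poisoned by any peer that has. The ring edge in <code>build_botnet</code> is only there to guarantee that every bot eventually reaches a poisoned one; in a real overlay that depends on the crawler having seeded enough well-connected nodes.</p>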
<p>For more information, we refer to:<br />
<a href="http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html">http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html</a><br />
<a href="http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/">http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/</a><br />
<a href="http://www.secureworks.com/research/threats/waledac_kelihos_botnet/">http://www.secureworks.com/research/threats/waledac_kelihos_botnet/</a></p>
<p><a href="http://honeynet.org/node/833" target="_blank">read more</a></p>
Tags: botnet, Kelihos.B/Hlux.B, takedown
Sat, 31 Mar 2012 21:03:33 +0000 | christian.seifert | 833 at http://honeynet.org

Thoughts on the Microsoft's "Operation b71" (Zeus botnet civil legal action)
http://honeynet.org/node/830
<p>On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions.</p>
<p><a href="http://honeynet.org/node/830" target="_blank">read more</a></p>
Tags: botnet, ethics, legal, takedown
Wed, 28 Mar 2012 04:56:16 +0000 | david.dittrich | 830 at http://honeynet.org